Web Tracking Advances Beat Privacy Defenses

Technologies such as canvas fingerprinting, evercookies, and cookie syncing prompt new call for privacy regulation.

Researchers warn that advances in online tracking have made it difficult even for sophisticated computer users to protect their privacy -- and call for further regulatory intervention.

In a research paper, computer security experts from Princeton University and KU Leuven University in Belgium describe three recently developed online tracking mechanisms that can be used to track and potentially identify users across different websites without their knowledge or consent.

These technologies -- canvas fingerprinting, evercookies, and cookie syncing -- represent what the researchers characterize as an ongoing arms race against privacy. Built using recently developed Web APIs, these tracking techniques are designed to be less susceptible to erasure and blocking than traditional HTTP cookies, which can be cleared and avoided through browser controls.

Online advertising companies want to understand consumer behavior online and they gain this understanding by building interest profiles based on the websites individuals visit. But when people clear the cookie files that websites place on their computers or block them, advertisers may be left in the dark about who is seeing their ads.

To preclude this possibility -- which makes advertising less effective and less profitable -- online advertising companies have been experimenting with more reliable ways to get information about website visitors.

In their paper, the researchers say that they found 5% of the top 100,000 websites using canvas fingerprinting. This is a tracking technique that utilizes HTML5's Canvas API to draw an invisible picture in the user's browser window. This picture is then converted into an alphanumeric code so it can serve as a "fingerprint," a unique identifier associated with a specific user. In and of itself, this code does not reveal the user's identity, but identity can often be determined through other means and may end up being associated with other user data.
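The draw-then-read-back pattern described above is also what a defender can watch for. The following JavaScript is an added example, not code from the article or the research paper: it records canvas text drawing and `toDataURL` readback and flags the scripts that combine them, with the thresholds, the `currentScript` callback, and the stub objects all being assumptions made for illustration.

```javascript
// Added example; thresholds are illustrative assumptions, not from the article.
const MIN_SIDE = 16;           // assumed minimum canvas width and height
const MIN_DISTINCT_CHARS = 10; // assumed minimum distinct characters drawn
// Wrap text drawing and pixel readback so every call is recorded. In a browser,
// pass HTMLCanvasElement.prototype and CanvasRenderingContext2D.prototype.
// currentScript is a hypothetical callback naming the calling script.
function instrumentCanvas(canvasProto, ctxProto, log, currentScript) {
  for (const name of ["fillText", "strokeText"]) {
    const original = ctxProto[name];
    ctxProto[name] = function (text, ...rest) {
      log.push({ kind: "text", canvas: this.canvas, text: String(text) });
      return original.call(this, text, ...rest);
    };
  }
  const originalRead = canvasProto.toDataURL;
  canvasProto.toDataURL = function (...args) {
    log.push({ kind: "read", canvas: this, script: currentScript() });
    return originalRead.apply(this, args);
  };
}

// Suspect: a script reads back a large-enough canvas with enough text drawn on it.
function suspectedFingerprinters(log) {
  const drawn = new Map(); // canvas -> Set of characters drawn so far
  const suspects = new Set();
  for (const entry of log) {
    if (entry.kind === "text") {
      if (!drawn.has(entry.canvas)) drawn.set(entry.canvas, new Set());
      for (const ch of entry.text) drawn.get(entry.canvas).add(ch);
    } else {
      const { width, height } = entry.canvas;
      const chars = drawn.get(entry.canvas);
      const enoughText = chars !== undefined && chars.size >= MIN_DISTINCT_CHARS;
      if (enoughText && width >= MIN_SIDE && height >= MIN_SIDE) suspects.add(entry.script);
    }
  }
  return [...suspects].sort();
}

// Constructed stand-ins for the browser prototypes, so the code runs under Node.
function makeStubs() {
  const ctxProto = { fillText() {}, strokeText() {} };
  const canvasProto = { toDataURL() { return "data:,"; } };
  const newCanvas = (width, height) => {
    const canvas = Object.assign(Object.create(canvasProto), { width, height });
    return Object.assign(canvas, { ctx: Object.assign(Object.create(ctxProto), { canvas }) });
  };
  return { canvasProto, ctxProto, newCanvas };
}
```

A chart that draws a short label and exports itself stays below the text threshold, and a 1x1 canvas stays below the size threshold, so neither is flagged.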

A single online advertising company, AddThis, is responsible for most of the canvas fingerprinting (95%), according to the paper. Canvas fingerprinting scripts were also found associated with 19 other domains or companies, including Ligatus, a German digital marketing firm, and Pof.com, operated by Canada's PlentyofFish Media.

A spokesperson for AddThis was not immediately available.

In an interview with ProPublica, AddThis CEO Rich Harris said his company has been testing canvas fingerprinting as an alternative to traditional cookies, has only used the data internally, and will allow people to opt-out if they install the company's opt-out cookie.

Two other tracking mechanisms are discussed in the paper alongside more established alternatives to HTTP cookies like Flash cookies. Evercookies circumvent user efforts to clear cookies "by abusing different browser storage mechanisms to restore removed cookies." And cookie syncing is described as a way to bypass a browser privacy mechanism known as the Same-Origin Policy, intended to limit the information available to software associated with a specific Web domain.

There are some defenses available, such as Disconnect. But the researchers expect individuals will have problems trying to protect their privacy. "It is doubtful that even privacy-conscious and technologically-savvy users can adopt and maintain the necessary privacy tools without ever experiencing a single misstep," the paper states.

The researchers conclude by urging standards bodies like the World Wide Web Consortium (W3C) to consider the privacy implications of new Web technology at the design stage. They suggest that a viable approach to online privacy needs to include technical efforts buttressed by regulatory oversight.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...

"This will be an ongoing battle as so many companies depend on advertising revenue and advertisers clearly have the lobbying clout and feel they are entitled to invade your privacy more and more. I don't know which is worse anymore, American Businesses, the Government or the Hackers. All three are ruining the internet which was once a really unique experience."

@BubblesGump: I don't think anything can really function without a sound business model that ensures revenues for all concerned parties. There's nothing like a free lunch. When the internet was first launched, monetization options were not there and with the passage of time they emerged. I don't think there's anyone really to be blamed. When people want to consume content for free, someone has to pay for it. People end up paying by selling information to advertisers. It sounds like a win-win for both to me.

"Imagine an analytics vendor suffers a data breach (Adobe ran into some trouble a couple of months ago) and the company using their analytics tools did not respect the Terms and Conditions, they will be badly positioned in court. Analytics vendors need to become more transparent so that we can find a balance that works for both users and website owners"

@Aurelie: I think data breaches can be one of the most disastrous things that can happen to any company. Particularly if the company is an analytics service provider, then the entire business can go down as the clients' trust will be severely affected. However, companies are also looking to get insurance against data breaches that can cover the loss in case an incident does happen.

@David: I think when HTML5 came out, one of the things that stood out (apart from many others) was the improved privacy and security. However, I think with the passage of time people have found out workarounds for it. I think when it comes to storing cookies, Flash did offer a better alternative.

Nice write up, I see the KUL folks are at it again with their peers at Princeton and as I read their initial paper about fingerprinting some months ago, I'm happy to see there's a follow up with stuff we've been facing for a while.

The comment by David R. Carr is an important one from a legal perspective and something I've been struggling with as well following this new write up: is something being installed on the users' device or not? Of what I had understood so far, digital fingerprinting as explained by the Electronic Frontier Foundation through their Panopticlick tool https://panopticlick.eff.org/, only pinged some data related to the browser used to uniquely identify a device. In the analytics sector, we've been doing this for a while to circumvent for certain browsers or settings blocking cookies. So typically, unique ID would be attributed using these browser features and some server side data like IP. It's not ideal and far from accurate but helps to identify returning visitors. So far, this did not install anything on the user's machine. It seems that with canvas fingerprinting we might be talking about something else and if something is indeed placed on the device, then according to EU legislation (the infamous Cookie Directive), this needs to be declared.

DNT is another issue altogether and a more US based approach to online tracking. I have some clients who are exploring this as it's up to them to decide whether or not they want to respect DNT. Typically the header sends a DNT=1 variable but the website using the tracking technology can choose to respect this request or not. So while it's interesting for the user to have this blanket set-up from a browser perspective (as opposed to having to opt-out for every website), it's still not bullet proof as it doesn't mean the other side of the equation actually respects the header. Most analytics tools have some kind of way of working with this and typically Tealium, one of the major tag management solutions, actually has 2 options: to first track and report on the header request and then actually block the setting of the cookie if indeed the DNT header is set to 1.

So this brings it back to the responsibility of the website or digital property owner to respect the users' wishes for less privacy-invasive technology. For now, the stance has been to hide behind "oh but we don't collect personal information or PII" but as the Californian Privacy Protection Act (CalOPPA) requires website owners to declare how they respond to DNT we have more and more clients looking into the issue of being compliant without losing too much data. It's interesting to see how the US based DNT principles partially overlap with the EU Cookie Directive.

And this boils down to understanding what your tracking technology is doing exactly in terms of data flows. More often than not, a website owner has no idea what exactly happens behind the scenes, let alone the terms and conditions of certain tracking tools. So I've seen companies being slapped on the wrist by data protection agencies because of a Flash file firing LSO objects. I've also seen analytics tools having to settle lawsuits for ETags.

Digital property owners need to start thinking about what is acceptable in terms of tracking and about where their company might be liable. Imagine an analytics vendor suffers a data breach (Adobe ran into some trouble a couple of months ago) and the company using their analytics tools did not respect the Terms and Conditions, they will be badly positioned in court. Analytics vendors need to become more transparent so that we can find a balance that works for both users and website owners. Same goes for mobile with tools like MyPermissions, showing you what is being collected. We are getting there, slowly but surely, but it's indeed not an ideal equilibrium as deviation from best practices can always be defended by the "oh but we had no idea" stance, certainly for companies whose initial business is data.

Does the canvas fingerprinting technique store something persistently on the user's PC or device? I would think an HTML5 canvas would only persist for as long as the web page was open in the browser window -- in which case this would be useful as a session-tracking mechanism for users who have disabled cookies, but not for ad tracking across multiple visits to the same site.

I confess I haven't studied HTML5 in detail -- and I do remember hearing about plans to give it some local storage capabilities -- so please correct me if I'm wrong.

Unbelievable, but not unexpected. An excellent program/extension/app, DoNotTrackMe, is available for Chrome and Firefox (don't know about IE as I don't use it). To date, it picks up virtually every attempt to track an individual and prevents such. It will tell you how many attempts are being made and who the culprits are. Since May 14, 2014, it has blocked 12,437 tracking attempts for me alone. DoNotTrackMe will allow a cookie to pass if blocking such would make the website unusable, but it does warn you of this and IDs the offender. It also provides for masked emails that you can use for a specific site then decide whether you want the email forwarded to your real account or not. This allows one to validate their logon when setting up an account but prevents future contacts and/or spamming to your real email account. DoNotTrackMe also provides for Credit/Debit Card protection and phone. Check the company out, Abine. Third party programs such as Glary Utilities Pro and Advanced System Care Pro will eliminate all the rest once you log out of your browser and close it. You'll find that using your browser's clearing/deleting functions falls woefully short. Using a router and a proxy server can further mask your real identity and obscure your movements. It sounds like the Ad companies are well aware of all of this and are working diligently to circumvent current privacy controls. My guess is our side will figure a way to deal with these new attempts and block them too. This will be an ongoing battle as so many companies depend on advertising revenue and advertisers clearly have the lobbying clout and feel they are entitled to invade your privacy more and more. I don't know which is worse anymore, American Businesses, the Government or the Hackers. All three are ruining the internet which was once a really unique experience.